Beyond good ol’ Run key, Part 94

This is a short post to cover a ‘new feature’ of Windows 10 that some users complain about online.

When you use this ugly system for a while, and at some point need to restart it, you may notice that applications that were running prior to the restart are sometimes re-launched after you log on.

A good example is Regedit. If you open it and restart the system, the application will be re-launched after the reboot.

How does Windows 10 know which processes to re-launch after the reboot?

Prior to the restart, the system populates the RunOnce key, adding a list of items of the form:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #N = <Application Path>

where N is a number (the code is inside the winsrvext.dll).

So, if you come across entries like this, at least you can guess where they come from.

Now, how does the OS actually know which programs to restart?

If you have ever used OSX you may be familiar with a cool feature that re-opens the currently open applications after a reboot. Could it be that Windows 10 is following this path? Turns out that the truth is far more boring. This is actually not a Mac OSX-like feature at all. The OS simply grabs a list of programs that called the RegisterApplicationRestart API during their run-time, and only these will be added to the RunOnce key.

Last, but not least, I have no idea why Regedit calls this API at all…

btw, I am getting old: I covered it in the past here, although in a different context.

Beyond good ol’ Run key, Part 93

I was pretty surprised to find this one as I have looked at kernel32.dll many times before. Seeing a code branch that is responsible for enumerating registry subkeys and loading the DLLs, and one that has not been discussed before, is a rare treat so it immediately found its way to this series…

The actual code resides inside the NotifyUILanguageChange API. Despite MS claiming that it is unsupported, it is still being used internally by a number of components. Chances for it to go away soon are probably low. As far as I can tell, the function in question is called when certain system settings are changed – I will show you how to trigger it in a second 🙂

The code enumerates entries under this Registry key:

  • HKLM\System\CurrentControlSet\Control\MUI\CallbackDlls\{ENTRY}\DllPath=<DLL>

On Windows 7, we can see a number of these entries:

and Windows 10 has even more – I really doubt this code is going away:

Each entry includes the DllPath that points to a library. The only requirement is that all these libraries must be signed…

Now, how to trigger it?

It’s simple: just change the system locale…

Once you do that, you can observe a Procmon log showing the enumeration:

Again, the exact criteria for when and how the DLLs are loaded are not clear to me, and there may be other times when the code is triggered, but finding these out is a homework exercise for the reader 😉

It’s certainly not the best persistence mechanism, but it is yet another place to look at, just in case…
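As an added triage script (not code from the original posts), the following PowerShell walks both locations covered in Parts 93 and 94: the HKCU RunOnce "Application Restart #N" values and the MUI CallbackDlls DllPath entries, reporting the Authenticode status of each callback DLL since signing is the only requirement the post mentions. It assumes a Windows host with the built-in Get-AuthenticodeSignature cmdlet; the function name Get-ObscureAutostarts is my own.

```powershell
# Added triage helper, not from the original posts. Lists the two autostart
# locations discussed above so an analyst can review them during an investigation.
function Get-ObscureAutostarts {
    # 1) "Application Restart #N" values written to HKCU RunOnce before a reboot.
    $runOnce = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    if (Test-Path -LiteralPath $runOnce) {
        $props = Get-ItemProperty -LiteralPath $runOnce
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'Application Restart #*') {
                [pscustomobject]@{
                    Source    = 'RunOnce'
                    Name      = $p.Name
                    Path      = $p.Value
                    SigStatus = $null
                    Signer    = $null
                }
            }
        }
    }

    # 2) MUI callback DLLs enumerated by NotifyUILanguageChange (kernel32.dll)
    #    when the system locale changes. Report each DllPath and its signature.
    $cbRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\MUI\CallbackDlls'
    if (Test-Path -LiteralPath $cbRoot) {
        foreach ($sub in Get-ChildItem -LiteralPath $cbRoot) {
            $dll = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).DllPath
            if (-not $dll) { continue }
            # DllPath values may contain variables such as %SystemRoot%.
            $resolved  = [Environment]::ExpandEnvironmentVariables($dll)
            $sigStatus = 'FileMissing'
            $signer    = $null
            if (Test-Path -LiteralPath $resolved) {
                $sig       = Get-AuthenticodeSignature -FilePath $resolved
                $sigStatus = $sig.Status.ToString()
                $signer    = $sig.SignerCertificate.Subject
            }
            [pscustomobject]@{
                Source    = 'MUI CallbackDlls'
                Name      = $sub.PSChildName
                Path      = $resolved
                SigStatus = $sigStatus
                Signer    = $signer
            }
        }
    }
}

# Anything other than SigStatus 'Valid' for a callback DLL deserves a closer look.
Get-ObscureAutostarts | Format-Table -AutoSize
```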